CN112383391A - Data security protection method based on data attribute authorization, storage medium and terminal - Google Patents

Info

Publication number: CN112383391A
Authority: CN (China)
Prior art keywords: data, authorization, user, key, attribute
Legal status: Granted
Application number: CN202011264244.2A
Other languages: Chinese (zh)
Other versions: CN112383391B (en)
Inventors: 石宝臣, 谢依夫, 李永明
Current Assignee: Beijing Anydef Technology Co ltd
Original Assignee: Beijing Anydef Technology Co ltd
Application filed by Beijing Anydef Technology Co ltd
Priority to CN202011264244.2A
Publication of CN112383391A
Application granted
Publication of CN112383391B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical fields of attribute authorization, data and file protection, financial security, data security and Internet of Things security, and discloses a data security protection method, a storage medium and a terminal based on data attribute authorization. A TEE generates a signature public/private key pair and uploads the public key and a digital envelope key to a trusted key management system; a random key is generated as a working key, and the data block is encrypted with a national cryptographic algorithm using that random key; the random key is restored from the user's attributes and identification key, and the data block is decrypted; and it is judged from the decrypted data block whether management authority exists, and if so, the data block can be authorized again to a further authorized party. The invention supports multi-party or multi-level data sharing, fine-grained authorization and data protection, and can be used for data sharing, fine-grained authority control and data protection between Internet of Things terminals and entities, as well as for fine-grained authorization, secondary distribution and data security protection of files in a cloud environment.

Description

Data security protection method based on data attribute authorization, storage medium and terminal
Technical Field
The invention belongs to the technical field of attribute authorization, data and file protection, financial security, data security and Internet of things security, and particularly relates to a data security protection method based on data attribute authorization, a storage medium and a terminal.
Background
At present, with the development of the Internet, mobile Internet technology, the Internet of Things and their applications, data sharing between different entities needs to provide fine-grained authorization, secondary distribution and data confidentiality. For example, affiliated organizations share data among multiple parties or multiple levels on a consortium chain: affiliated organization A encrypts the data block it writes, the ciphertext needs to be shared with and authorized to multiple parties, and only an authorized user of affiliated organization B can decrypt the data. Affiliated organization B can in turn authorize a user of affiliated organization C, or other users, a second or further time, and those users can decrypt the data once they have obtained authorization.
The methods commonly used at present for secure data sharing are as follows:
1) data is encrypted with a symmetric or asymmetric algorithm; this method suits point-to-point encrypted transmission or scenarios in which several people share a key, and secondary authorization and distribution are difficult to implement;
2) a centralized file management and control system performs unified authorized access control; once the files or data have been stored locally, distribution control and privacy protection are difficult to enforce;
3) data is protected with a digital envelope built on international general-purpose algorithms; secondary distribution authorization control is difficult to implement, and so is security compliance with the national cryptographic algorithms.
Even in combination, the existing security schemes struggle to support data sharing with fine-grained authorization, privacy protection and secondary authorization. Therefore, a new data security protection method is needed.
From the above analysis, the problems and defects of the prior art are as follows:
(1) With data encryption based on a symmetric or asymmetric algorithm, secondary authorization and distribution are difficult to implement.
(2) Unified authorized access control through a centralized file management and control system has the drawback that once a file or data has been stored locally, distribution control and privacy protection are difficult to enforce.
(3) With protection based on a digital envelope built on international general-purpose algorithms, secondary distribution authorization control is difficult to implement, and so is security compliance with the national cryptographic algorithms.
(4) Even in combination, the existing security schemes struggle to support data sharing with fine-grained authorization, privacy protection and secondary authorization.
The difficulties in solving the above problems and defects are:
(1) implementing one-to-many fine-grained authorization and access control;
(2) solving the problems of data sharing and secondary distribution;
(3) satisfying the relevant laws and regulations in China, especially algorithm compliance.
The significance of solving the problems and defects is as follows:
(1) authorization and control of data in different scenarios are solved;
(2) data protection for data sharing and secondary distribution is provided, and service requirements are met;
(3) security compliance of the algorithm is met.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a data security protection method based on data attribute authorization, a storage medium and a terminal, and in particular a data protection method that uses data attributes for fine-grained authorization and incorporates the national cryptographic algorithms to protect data privacy and support secondary distribution. TEE stands for trusted execution environment. The invention is realized as follows: a data security protection method based on data attribute authorization comprises the following steps:
the TEE uploads the generated signature public key and the digital envelope key to a trusted key management system; the trusted key management system protects the information uploaded by the area executing the trusted application program with a digital envelope protection key and returns personalized attributes;
the TEE generates a random key as a working key, and encrypts the data block with a national cryptographic algorithm using the random key;
the user restores the random key according to the user's attributes and identification key and decrypts the data block; and the user judges from the decrypted data block whether the user has management authority, and if so, the user can authorize a further authorized party.
Further, encrypting the data block with the national cryptographic algorithm includes:
protecting the random key R with the national cryptographic algorithm;
restoring the random key R with the national cryptographic algorithm;
defining a shared data structure.
Further, the national cryptographic algorithm uses the user's attributes as a personalization parameter, and uses the user's public key to reverse-sign the authorization list and to protect the dispersion factor;
the national cryptographic algorithm takes the user identification as an attribute and associates the "not" of the revoked user identifications with the ciphertext, so that a revoked user cannot decrypt the ciphertext; set:
W=U\R;
where U is the set of identifications of the users in the system, and R is the user revocation list, which contains the IDs of revoked users; the ciphertext is associated with W;
the authorized party can decrypt the ciphertext only if its ID belongs to W and its attributes match the policy; in the direct revocation mode, non-revoked users do not need to update their keys periodically; when the TEE encrypts, a system attribute revocation list is defined to implement revocation of system attributes.
Further, protecting the random key with the national cryptographic algorithm includes:
1) computing an SM3 digest of the user-side attributes to obtain the user-side attribute digest;
2) generating a one-time dispersion factor IV in the TEE, and decrypting the protected random key R with the one-time dispersion factor IV to obtain the R dispersion result;
3) digesting the entries of the obtained user permission list one by one, applying a reverse signature with the user public key, encrypting the permission originals individually with the one-time dispersion factor and appending them in order, to construct the authorization digest result;
4) performing an SM4 operation with the R dispersion result generated in step 2) as the data and the authorization digest result generated in step 3) as the key, to obtain the intermediate parameter;
5) XORing the user attribute digest generated in step 1) with the intermediate parameter generated in step 4) to obtain the secret parameter;
6) the user authorization information consists of four parts: the user ID, the secret parameter, the authorization digest result, and the one-time dispersion factor protected by the user public key; steps 1) to 5) are repeated according to the number of authorized users to build the authorization list CT, which forms part of a newly defined digital envelope structure.
Further, restoring the random key R with the national cryptographic algorithm includes:
1) verifying the authorization information: comparing the user's authorization digest read from the authorization list with the computed digest, and proceeding to the next operation if the user has the authority;
2) computing an SM3 digest of the user-side attributes to obtain the user-side attribute digest;
3) reading the user's secret parameter from the authorization list of the digital envelope;
4) XORing the user attribute digest generated in step 2) with the secret parameter obtained in step 3) to obtain the intermediate parameter;
5) performing an SM4 operation on the intermediate parameter calculated in step 4), with the user authorization digest read in step 1) as the key, to obtain the R dispersion result;
6) decrypting the dispersion factor protected by the user public key with the user's private key, using the result as the key, and performing an encryption operation on the R dispersion result obtained in step 5) as the data, to restore the random key R.
Further, the data structure comprises version of data, summary information of data, timestamp, data block data, copyright, owner identification, authorization list CT and log.
Another object of the present invention is to provide a computer device, which includes a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, causes the processor to execute the data security protection method based on data attribute authorization.
Another object of the present invention is to provide a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program causes the processor to execute the data security protection method based on data attribute authorization.
Another objective of the present invention is to provide an information data processing terminal, which is used for implementing the data security protection method based on data attribute authorization.
The invention also aims to provide an application of the data security protection method based on data attribute authorization to multi-party or multi-level data sharing by affiliated organizations on a consortium chain.
By combining all the technical schemes, the invention has the advantages and positive effects that: the data security protection method based on the data attribute authorization provided by the invention is a method for protecting and accessing a working key of shared data based on the data user attribute, authorization information and a public-private key fusion cryptographic algorithm, so as to meet the requirements of multi-party or multi-level data sharing, fine-grained authorization and data protection, can be used for data sharing, fine-grained authority control and data protection between an internet of things terminal and an entity, and can also be used for fine-grained authorization, secondary distribution and data security protection working scenes of files in a cloud environment.
Using the user's attributes, the authorization list, the one-time dispersion factor and the user's public/private key pair, the invention combines the digest, encryption, decryption and signature algorithms of the national cryptographic suite, and completes the generation and restoration of the protected key inside the TEE. The user's attributes serve as the personalization parameter, and the user's public key is used to reverse-sign the authorization list and to protect the dispersion factor, which ensures that only that user can decrypt the one-time dispersion factor IV. The invention thereby protects, on the basis of attribute authorization, the random key that encrypts the shared data, and so supports encryption protection and secondary or repeated authorization when affiliated organizations share data among multiple parties or multiple levels on a consortium chain.
The invention optimizes the traditional digital envelope structure, improves on it with reference to the CP-ABE algorithm, and strengthens security by incorporating the national cryptographic algorithms, so as to ensure confidentiality of, and access control over, sensitive data, which can be accessed only by an authorized entity holding the user's public/private key pair and attribute set. The cryptographic algorithm implements fine-grained access control, effectively defends against multi-user collusion attacks, and provides privacy protection, secondary authorization and secure sharing of data while keeping authorization traceable. The advantages of the invention also include:
(1) the scheme uses the national cryptographic algorithms for data protection and integrity verification. The encrypted data (encrypted with the national cryptographic algorithm) and the secret parameters (obtained by dispersion calculation from the attribute authorization, the user identification key and the working key R) can be distributed securely over an insecure network or stored with an honest-but-curious untrusted third party (i.e. a cloud provider). The algorithm therefore provides confidentiality and a fine-grained access control mechanism based on attribute authorization. Applying the national cryptographic algorithms improves calculation efficiency and meets security compliance;
(2) the data sharing structure of the digital envelope is newly defined, which facilitates use in multiple scenarios. Calculation performance is improved by encrypting large amounts of variable-size message data with a symmetric cipher. At the same time, data management and control capabilities are provided for data copyright, ownership and tracing of distribution operations;
(3) the working key is protected by combining user data attribute authorization with the identification key; only an authorized entity with valid attributes and the identification key can decrypt and recover the working key and then run the cryptographic algorithm to decrypt the protected data;
(4) a user with secondary distribution capability can perform secondary authorization by combining the attributes of the new user, without changing the original encrypted data packet, copyright or owner information, while recording a traceable log;
(5) drawing on the mature experience of the traditional digital envelope, the scheme integrates attribute authorization, the identification key and the national cryptographic algorithms, and solves the problem of protecting the symmetric key during data sharing and authorization;
(6) the TEE ensures the secure use of the identification key, the SM-ABE algorithm and the national cryptographic algorithms, which further improves the security of data sharing and secondary authorization distribution.
From a security point of view, using the method achieves the following effects:
1) Privacy protection: the privacy of the data is protected throughout the system structure, and only a user who satisfies the attribute policy and holds the identification key can access the data and obtain the corresponding decryption key.
2) Fine-grained access control: data owners generate authorized access policies for their data, and can grant or revoke users' access rights in a fine-grained manner by modifying the access attributes.
3) Mutual identity authentication: to protect the security of the participants, the system should provide mutual authentication to ensure that a trusted connection is established between the communicating entities.
4) Prevention of impersonation attacks: only a user who holds the authorization attributes and the authorized user's identification key, protected in the TEE, can decrypt the secret parameters and obtain the protected data by calculation; an adversary who pretends to be a legitimate user and tries to access the protected shared data cannot obtain it.
5) Resistance to collision attacks: the symmetric key is a true random number and is protected by dispersion using the user identification key and the attribute policy, so collision attacks can be resisted.
6) Defence against man-in-the-middle attacks: the digital envelope records the copyright and a traceable log, and the integrity and authenticity of the information can be established through verification.
7) Collusion resistance: users cannot access unauthorized data through shared keys or collusion.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a data security protection method based on data attribute authorization according to an embodiment of the present invention.
Fig. 2 is a logic flow diagram of the SM-ABE algorithm provided by an embodiment of the present invention.
Fig. 3 is a schematic diagram of an encryption flow provided by an embodiment of the present invention.
Fig. 4 is a schematic diagram of a decryption process according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In view of the problems in the prior art, the present invention provides a data security protection method, a storage medium and a terminal based on data attribute authorization, and the present invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the data security protection method based on data attribute authorization provided in the embodiment of the present invention includes the following steps:
S101, parameter initialization: the TEE generates a signature public/private key pair and uploads the public key and the digital envelope key to the trusted key management system TKMS; the TKMS protects the key with digital envelope protection and returns the personalization attributes.
S102, encryption and authorization: the TEE generates a true random number R as the working key, and encrypts the data block with a national cryptographic algorithm using the true random number R.
S103, decryption: B restores the key R according to the user's attributes and identification key; B decrypts the data block with R; and the TEE judges from the decrypted data block whether management authority exists, and if B has management authority, B can authorize C again.
The present invention will be further described with reference to the following examples.
1. SM-ABE Algorithm overview
Using the user's attributes, the authorization list, a one-time dispersion factor and the user's public/private key pair, the algorithm combines the digest, encryption, decryption and signature algorithms of the national cryptographic suite, and completes the generation and restoration of the protected key inside the TEE. In the algorithm, the user's attributes serve as the personalization parameter, and the user's public key is used to reverse-sign the authorization list and to protect the dispersion factor, which ensures that only that user can decrypt the one-time dispersion factor IV. The algorithm protects, on the basis of attribute authorization, the random key that encrypts the shared data, and so supports encryption protection and secondary or repeated authorization when affiliated organizations share data among multiple parties or multiple levels on a consortium chain.
The algorithm proposes a direct revocation approach for SM-ABE: the user identification is used as an attribute, and the "not" of the revoked user identifications is associated with the ciphertext, so that a revoked user cannot decrypt the ciphertext. Set W = U \ R, where U is the set of identifications of the users in the system and R is the user revocation list containing the IDs of revoked users. The ciphertext is associated with W. The recipient can decrypt the ciphertext only if its ID belongs to W and its attributes match the policy. In the direct revocation mode, non-revoked users do not need to update their keys periodically. When the sender encrypts, a system attribute revocation list is defined to implement revocation of system attributes.
2. SM-ABE algorithm process
The SM-ABE algorithm mainly comprises protecting the random number R and restoring the random number R; to ensure the security of the SM-ABE algorithm, both operations are completed in the TEE. The logic flow of the SM-ABE algorithm is shown in Fig. 2.
2.1 Protecting the random number R using the SM-ABE algorithm
1) An SM3 digest of the user-side attributes is computed to obtain the user-side attribute digest;
2) a one-time dispersion factor IV is generated in the TEE (an area of the SoC that is isolated from the other modules and can execute trusted applications (TAs)), and the protected random key R is decrypted with the one-time dispersion factor IV to obtain the R dispersion result;
3) the entries of the obtained user permission list are digested one by one, a reverse signature is applied with the user public key, and the permission originals are encrypted individually with the one-time dispersion factor and appended in order, to construct the authorization digest result;
4) an SM4 operation is performed with the R dispersion result generated in step 2 as the data and the authorization digest result generated in step 3 as the key, to obtain the intermediate parameter;
5) the user attribute digest generated in step 1 is XORed with the intermediate parameter generated in step 4 to obtain the secret parameter;
6) the user authorization information consists of four parts: the user ID, the secret parameter, the authorization digest result, and the one-time dispersion factor protected by the user public key. Steps 1 to 5 are repeated according to the number of authorized users to construct the authorization list CT, which forms part of the digital envelope structure newly defined by the scheme.
2.2 Restoring the random number R using the SM-ABE algorithm
1) Verifying the authorization information: the user's authorization digest read from the authorization list is compared with the digest calculated according to step 3 of 2.4.2.1, and if the authorization list grants the authority, the next operation is performed;
2) an SM3 digest of the user-side attributes is computed to obtain the user-side attribute digest;
3) the user's secret parameter is read from the authorization list of the digital envelope;
4) the user attribute digest generated in step 2 is XORed with the secret parameter obtained in step 3 to obtain the intermediate parameter;
5) an SM4 operation is performed on the intermediate parameter calculated in step 4, with the user authorization digest read in step 1 as the key, to obtain the R dispersion result;
6) the dispersion factor protected by the user public key is decrypted with the user's private key, the result is used as the key, and an encryption operation is performed on the R dispersion result obtained in step 5 as the data, to restore the random key R.
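The protect and restore steps of sections 2.1 and 2.2, carried through as an added Python example; it is not code from the patent. Assumptions: SHA-256 stands in for SM3, a 4-round Feistel permutation for SM4, a symmetric `user_key` for the user's public/private key pair, every value is one 32-byte block, the reverse signature in step 3 is omitted, and the set W is checked as a plain membership test inside the TEE; all function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # every value here is one 32-byte block (assumption, see lead-in)


def digest(data: bytes) -> bytes:
    """Stand-in for SM3: SHA-256 also produces a 256-bit digest."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of the round number and one half."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:16]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for SM4 encryption: a 4-round Feistel permutation (not SM4)."""
    left, right = block[:16], block[16:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt."""
    left, right = block[:16], block[16:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def authorization_digest(permissions) -> bytes:
    """Protect step 3, simplified: digest each permission, then the sequence.
    The reverse signature with the user's public key is left out."""
    return digest(b"".join(digest(p.encode()) for p in permissions))


def protect(r, user_id, attributes, permissions, user_key) -> dict:
    """Build one authorization-list (CT) entry for one authorized user."""
    attr_digest = digest(attributes.encode())         # step 1
    iv = secrets.token_bytes(BLOCK)                   # step 2: one-time factor IV
    r_dispersed = block_decrypt(iv, r)                # step 2: R dispersion result
    auth = authorization_digest(permissions)          # step 3
    intermediate = block_encrypt(auth, r_dispersed)   # step 4
    return {
        "id": user_id,
        "secret_param": xor(attr_digest, intermediate),  # step 5
        "permissions": list(permissions),
        "auth_digest": auth,
        # user_key is a symmetric stand-in for the user's public/private key pair
        "wrapped_iv": block_encrypt(user_key, iv),
    }


def restore(entry, attributes, user_key, all_users, revoked) -> bytes:
    """Recover R from a CT entry; raises PermissionError when a check fails."""
    if entry["id"] not in (set(all_users) - set(revoked)):   # ID must be in W = U \ R
        raise PermissionError("user is revoked or unknown")
    expected = authorization_digest(entry["permissions"])    # step 1
    if not hmac.compare_digest(expected, entry["auth_digest"]):
        raise PermissionError("authorization digest mismatch")
    attr_digest = digest(attributes.encode())                # step 2
    intermediate = xor(attr_digest, entry["secret_param"])   # steps 3-4
    r_dispersed = block_decrypt(entry["auth_digest"], intermediate)  # step 5
    iv = block_decrypt(user_key, entry["wrapped_iv"])        # step 6: unwrap IV
    return block_encrypt(iv, r_dispersed)                    # step 6: restore R


def demo() -> dict:
    """Constructed sample data: organisation B is authorized, then revoked."""
    r = secrets.token_bytes(BLOCK)
    key_b = secrets.token_bytes(BLOCK)
    other_key = secrets.token_bytes(BLOCK)
    users = {"org-A", "org-B", "org-C"}
    good, bad = "org=B;role=auditor", "org=B;role=intern"
    entry = protect(r, "org-B", good, ["read", "redistribute"], key_b)
    results = {
        "ok": restore(entry, good, key_b, users, set()) == r,
        "wrong_attributes": restore(entry, bad, key_b, users, set()) == r,
        "wrong_key": restore(entry, good, other_key, users, set()) == r,
    }
    try:
        restore(entry, good, key_b, users, {"org-B"})
        results["revoked_blocked"] = False
    except PermissionError:
        results["revoked_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Wrong attributes or a wrong key do not raise an error; they yield a different value for R, so the caller only notices when the decrypted block fails to match the summary information of the data carried in the shared data structure.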
3. Shared data structure definition
Table 1. Shared data structure definition [table rendered as images in the source: Figure BDA0002775612620000091, Figure BDA0002775612620000101]
4. Specific algorithm of each step
(1) Parameter initialization
1) The TEE generates a signature public/private key pair and uploads the public key certificate and the digital envelope key to the trusted key management system TKMS.
2) The trusted key management system TKMS protects the key with digital envelope protection and returns the personalization attributes.
(2) Encryption and authorization link
The TEE generates a true random number R as the working key, and encrypts the data block with a national cryptographic algorithm using the true random number R.
The schematic diagram of the encryption flow is shown in fig. 3.
(3) Decryption link
1) B restores the key R according to the user's attributes and identification key;
2) B decrypts the data block with R;
3) the TEE judges from the decrypted data block whether management authority exists, and if B has management authority, B can authorize C again.
The decryption flow diagram is shown in fig. 4.
The above embodiments may be implemented wholly or partially in software, hardware, firmware, or any combination thereof. When implemented wholly or partially in software, they may take the form of a computer program product that includes one or more computer instructions. When the computer instructions are loaded or executed on a computer, the flows or functions according to the embodiments of the invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, wireless, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that includes one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description only illustrates the present invention and is not to be construed as limiting its scope; all modifications, equivalents and improvements within the spirit and scope of the invention as defined by the appended claims are intended to be covered.

Claims (10)

1. A data security protection method based on data attribute authorization is characterized in that the data security protection method based on data attribute authorization comprises the following steps:
generating a public and private key pair in the TEE, and uploading the public key and the digital envelope key to a trusted key management system; the trusted key management system protects the information uploaded by the area executing the trusted application program by using a digital envelope protection key and returns personalized attributes;
the TEE generates a random key as a working key, and encrypts a data block by adopting a national cryptographic algorithm based on the random key;
the user restores the random key according to the attribute and the identification key of the user and decrypts the data block; and the user judges whether the data block has the management authority according to the decrypted data block, and if the user has the management authority, the user authorizes the authorized party again.
2. The data security protection method based on data attribute authorization according to claim 1, wherein encrypting the data block by using the national cryptographic algorithm comprises:
protecting the random key R by using the national cryptographic algorithm;
restoring the random key R by using the national cryptographic algorithm;
a shared data structure is defined.
3. The data security protection method based on data attribute authorization according to claim 2, characterized in that the national cryptographic algorithm adopts the attribute of the user as the personalized parameter, and uses the public key of the user to reverse-sign the authorization list and protect the dispersion factor;
the national cryptographic algorithm takes the user identification as an attribute and associates the 'not' of the revoked user identification with the ciphertext, so that a revoked user cannot decrypt the ciphertext; setting:
W=U\R;
wherein U is the identification set of users in the system; R is a user revocation list which comprises ID ciphertext of a revoked user and is related to W;
the authorization party can decrypt the ciphertext only if its ID belongs to W and its attributes match the policy; in the direct revocation mode, non-revoked users do not need to periodically update their keys; when the TEE encrypts, a system attribute revocation list is defined to realize revocation of system attributes.
4. The data security protection method based on data attribute authorization according to claim 2, wherein protecting the random key by using the national cryptographic algorithm comprises:
1) computing an SM3 digest of the user-side attribute to obtain the user-side attribute digest information;
2) generating a one-time dispersion factor IV in the TEE, and decrypting the protected random key R by using the one-time dispersion factor IV to obtain the R dispersion result;
3) digesting the obtained user authority list entry by entry, performing a reverse signature with the user public key, and appending in sequence the authority original texts, each encrypted with the one-time dispersion factor, to construct the authorization digest result;
4) taking the R dispersion result generated in step 2) as data and the authorization digest result generated in step 3) as the key, and performing an SM4 operation to obtain the intermediate parameter;
5) XORing the user attribute digest information generated in step 1) with the intermediate parameter generated in step 4) to obtain the secret parameter;
6) the user authorization information is composed of four parts: the user ID, the secret parameter, the authorization digest result, and the one-time dispersion factor protected by the user public key; steps 1) to 5) are repeated according to the number of authorized users to build the authorization list CT as part of a newly defined digital envelope structure.
5. The data security protection method based on data attribute authorization according to claim 2, wherein restoring the random key R by using the national cryptographic algorithm comprises:
1) verifying the authorization information: comparing the user's authorization digest information read from the authorization list with the calculated digest, and performing the next operation if the user has the authority;
2) computing an SM3 digest of the user-side attribute to obtain the user-side attribute digest information;
3) reading the user's secret parameter from the authorization list of the digital envelope;
4) XORing the user attribute digest information generated in step 2) with the secret parameter read in step 3) to obtain the intermediate parameter;
5) taking the user authorization digest read in step 1) as the key and performing an SM4 operation on the intermediate parameter calculated in step 4) to obtain the R dispersion result;
6) decrypting the dispersion factor protected by the user public key with the user's private key, using the result as the key, and performing an encryption operation on the R dispersion result obtained in step 5) as data to restore the random key R.
6. The data security protection method based on data attribute authorization according to claim 2, characterized in that the data structure comprises the data version, digest information of the data, a timestamp, the data block data, copyright, owner identification, the authorization list CT, and a log.
7. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the method of data security protection based on data attribute authorization of any of claims 1 to 6.
8. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to execute the data security protection method based on data attribute authorization of any one of claims 1 to 6.
9. An information data processing terminal, characterized in that the information data processing terminal is used for implementing the data security protection method based on data attribute authorization as claimed in any one of claims 1 to 6.
10. Application of the data security protection method based on data attribute authorization according to any one of claims 1 to 6 in multi-party or multi-level data sharing on an affiliated alliance chain.
CN202011264244.2A 2020-11-12 2020-11-12 Data security protection method based on data attribute authorization, storage medium and terminal Active CN112383391B (en)

Publications (2)

Publication Number Publication Date
CN112383391A (en) 2021-02-19
CN112383391B (en) 2024-03-19

Family

ID=74583526

Country Status (1)

Country Link
CN (1) CN112383391B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant